2019 Year of Compliance | NAVEX Global

ADAPT Your COI Program

Conflict of interest (COI) programs are at an apparent crossroads. Increasingly, compliance officers are tasked with creating COI policies and procedures to address an ever-widening range of actual and perceived risk. At the same time, new legislation and social movements have placed a premium on employee rights and privacy. These conflicting expectations present compliance professionals with an almost insurmountable charge: how do they reduce the risk exposure of conflicts while increasing flexibility for employee interests?

Fortunately, these competing forces aren’t as incompatible as they seem. In the past few years, consensus has built around a set of principles and practices that empower ethics and compliance (E&C) officers to improve reporting and accountability while protecting employees’ well-being. Through assessing risk, designing flexible programs, automating processes, promoting an ethical workplace and training employees at all levels (ADAPT), compliance professionals can build COI programs that meet these competing needs.

The Changing Approach to COI

The Traditional View

Identifying and managing conflicts of interest is one of the most crucial actions a compliance officer can undertake. Conflicts of interest, generally defined as situations in which an individual or organization has an opportunity to exploit their professional position for personal gain, can metastasize into corruption if undetected or ignored. Michael Volkov, compliance attorney and CEO of the Volkov Law Group, notes that several times in his consulting experience “what started as a conflict of interest investigation mushroomed into a fraud investigation where several actors, often relatives, were stealing from the company.” He advises making a strong COI policy “a centerpiece of a company’s corporate governance framework.”

Developing such procedures, however, can be complex. Traditionally, companies have adopted “zero-tolerance” COI policies based on legislative acts which themselves resulted from high-profile wrongdoing. The self-dealing and uncontrolled conflicts of interest that contributed to the Great Depression resulted in the Pecora Commission, the 1933 Securities Act and the 1934 Securities Exchange Act. The Sarbanes-Oxley Act of 2002 was a product of the fall of Enron. More recently, the Great Recession of 2008 spawned the Financial Crisis Inquiry Commission and the 2010 Dodd-Frank Act.

The cycle of scandal, outrage, and reform that spawned these laws is mirrored in many zero-tolerance COI programs today. Sporadic investigative purges are followed by periods of complacency that make crisis management a default state of operating. These programs also often conflate the existence of potential conflicts with actual malfeasance. At a recent Open Compliance & Ethics Group Roundtable, compliance experts bemoaned this practice of “conflict-shaming,” noting, “it’s an important myth to dispel that all conflicts are bad – which isn’t true and shouldn’t be tolerated.”

This approach further encourages firms to treat all COI as uniformly toxic, resulting in policies that disproportionately negatively impact low-level employees. In their article “Shifting Perspectives on COI in the Modern Workforce,” compliance attorneys Jeff Kaplan and Rebecca Walker use the example of a workplace relationship to illustrate this issue. A romance between junior employees is unlikely to cause irreparable harm, yet a zero-tolerance policy treats this relationship with the same degree of severity as one between high-ranking executives or a manager and subordinate.

A New Perspective

More recently, a new approach to COI has taken hold. The reasons for this are various. From a legal perspective, the growing adoption of privacy regulation such as the European Union’s General Data Protection Regulation (GDPR) has placed renewed emphasis on privacy rights, including those of employees. Social media has also played a role, enabling movements like #MeToo. Unlike the outcry after the fall of Enron or the 2008 recession, these new media campaigns have an evergreen quality, fueled by the growing number of survivors and their stories. This has helped create what Kaplan and Walker refer to as a state of “hyper-transparency.”

The evolution of the compliance profession has accelerated this change. The number of companies with mature compliance infrastructures has grown significantly over the past decade; according to NAVEX Global’s 2018 Ethics & Compliance Policy & Procedure Management Benchmark Report, more than a third of all businesses surveyed had compliance programs that could be characterized as either advanced or maturing. These programs “are more proactive when it comes to creating and reviewing their policies,” enabling compliance officers to target assessments and design solutions tailored to the companies they serve. Firms with mature compliance programs also focus on creating a “culture of compliance,” harnessing the motivations and preferences of their workforce to increase COI effectiveness.

Technological advancements have likewise played an important role in COI policy innovation. This is especially true with respect to automated disclosure and COI training. Automated policy management solutions allow compliance officers to distribute disclosures to all their employees and enable firms to create easy, unthreatening ways to make disclosures.

Key Steps for Your Organization

Thanks to these changes, proactive companies are now able to create and implement COI programs that improve their company’s protection from risk while respecting the rights of employees and the realities of the modern workplace. These steps of assessing risk, designing tailored policies, automating processes, promoting a culture of compliance, and training your workforce – a process we refer to as ADAPT – can help compliance officers revitalize their COI policies and procedures.

1. Assess your risk. The first, fundamental step for any effective COI program is a thorough risk assessment. When conducting your assessment:

Be proactive. One of the most common mistakes E&C officers make is relying on one-time self-reporting for their COI risk assessment. However, employees frequently fail to report potential conflicts, often because they haven’t been trained to properly identify COI (more on that in a moment). Instead, use self-reports as a starting point for verification. In the words of E&C Managing Counsel Gwendolyn Hassan, “There is no substitute for simply asking employees about their relationships and potential conflicts.”
Target common risk areas like relationships with customers, competitors and suppliers, as well as familial ties. Review outside activities like consulting or public speaking, or any boards that high-level employees might serve on.
Tailor disclosure requests. High-level executives and employees with purchasing authority face a greater range and pervasiveness of risk than your average employee, and your disclosure policies should reflect that reality. Matching your COI disclosure requests to an employees’ actual level of risk respects their privacy while allowing you to focus your time and efforts where they are most needed.
Start early. Begin the disclosure process before you hire, starting with any IP, NDA, or non-compete agreements that might lead to potential conflicts.

2. Design detailed COI programs that reflect your specific needs. Once your initial assessment is complete, you will want to create COI policies and procedures that match your institutional profile. When designing you COI policies:

Be flexible. As Kaplan and Walker note, “Not all conflicts are created equal.” Businesses are increasingly discovering cultural benefits to tolerating a certain level of risk, provided it is disclosed and documented early. Workplace romances may be permissible, provided both parties immediately report it. Similarly, an employee whose family member works for a vendor may be able to alleviate any COI by signing a recusal agreement covering any interactions with that company.
Be responsive. The central measure of a COI program’s effectiveness is its response rate. According to a recent Ethics & Compliance Initiative survey, less than half of workers who witness COI misconduct report it. This, according to Volkov, is largely because employees do not believe their company will act on it. This failure is critical, as COI investigations are a leading way for businesses to uncover theft, corruption and fraud. Robust reporting and tracking can help E&C officials increase their COI program responsivity.

3. Automate your process. In order to meet the needs of a modern COI program, E&C officers must automate their COI procedures. Software solutions can not only increase efficiency and effectiveness, but allow for an incremental, evergreen approach to disclosures and training, encouraging employees to remain informed and engaged. Automation can improve:

Policy. Policy-generating software solutions can help you design custom policies that clearly define what should be disclosed.
Process. Automated voluntary disclosure processes offer employees a non-intimidating way to provide open and honest disclosures.
Training. Customized, interactive training units enable businesses to meaningfully educate their employees to identify and report COI.
Tracking. Digital monitoring systems provide compliance officers the ability to track disclosures, reports, training, and overall communication.

4. Promote a culture of compliance. As Rose Bryant-Smith, channeling Peter Drucker, recently noted, “culture eats compliance for breakfast.” The success of a company’s COI program ultimately rests on its ethical culture. To provide an environment that enables a COI program to thrive, companies should:

Be consistent. “A company has to make a real commitment to enforcing its conflict of interest policy at every level,” writes Volkov. If employees sense they are operating under a stricter set of rules than their superiors, they will be less likely to participate in a COI program. Remember, the mere appearance of a COI can negatively impact an organization, so it is important that C&E programs place a premium on transparency and accountability.
Choose ethical leaders. Admittedly, compliance officers can’t choose who leads their organization. They can, however, choose whom they work for, and any C&E professional would do well to remember that ethical leaders are essential for effective compliance management. This isn’t mere opinion; in his 2012 address before the National Society of Compliance Professionals, Director of the SEC’s Office of Compliance Inspections and Examinations Carlo V. di Florio listed ethical leadership as one of the required factors for an effective compliance program. Organizations, he asserted, should “exclude from any position of leadership any individual who has engaged in conduct inconsistent with an effective compliance and ethics program – in other words, that the fox is not guarding the henhouse.”

5. Train your employees. Perhaps most importantly, an effective COI program must train its workforce to identify, disclose and report potential conflicts and/or violations. According to the latest research, a successful COI training program:

Puts policy into context. Simply informing employees about a company’s COI policy does not constitute proper training. Those who work for you need to know how to put those policies into practice. According di Florio, such training should be “tailored to specific conflicts in the business model” and should clearly communicate how to “identify, escalate and remediate” COI. Interactive training modules allow employees to put their training into context, practicing real-world reporting and disclosure scenarios.
Is periodically and uniformly applied. The current state of COI training is decidedly uneven; according to NAVEX Global’s 2018 Ethics and Compliance Training Benchmark Report, fewer than half of surveyed organizations with compliance programs rated “reactive” or “basic” planned to provide COI training in the coming year. Moreover, while only 6% of senior leaders and 11% of non-managers failed to receive training on conflicts of interest, nearly a quarter of board members never received such training. Still, COI training is on the rise; it remains one of the most popular training topics among businesses of all size, and a majority of companies overall provide yearly training to their employees.

Tools & Resources

» SAMPLE POLICY: Conflict of Interest & Outside Employment Sample Policy

» USE CASE: Automate Your Conflict of Interest Process

» BENCHMARK REPORT: 2018 Policy & Procedure Management Benchmark Report

» BENCHMARK REPORT: 2018 Training Benchmark Report

» VIDEO: Tips for Resolving Conflicts of Interest

» TRAINING: Conflict of Interest Courses

Relevant Blog Articles

» You Collect Conflict of Interest Disclosures – Then What?

» Shifting Perspectives on COI in the Modern Workforce

» 4 Questions About the Yates Memo’s First Year

» Root-Cause Analysis from a Risk Assessment & Internal Investigation

How Can It Help?

Good analysis and benchmarking of hotline data helps organizations answer crucial questions about their ethics and compliance program including:

Does our culture support employees who raise concerns?
Are our communications reaching the intended audience and having the desired effect?
Are our investigations thorough and effective?
Do we need more training?
Do we need to review or update our policies?
Do employees know about our reporting channels?

Comparing internal data year-over-year to help answer these questions is important to maintain an effective program that encourages employees and bolsters business success. Getting a broader perspective on how your performance matches up to market and industry norms is critical.

For each benchmark, you’ll want to know:

Why the benchmark is an important metric
Instructions on how to calculate the benchmark
How to use the findings and make recommendations in your organization

To help, each year NAVEX Global takes anonymized data collected through our hotline and incident management systems and creates our annual Hotline Benchmark Report. Because we have the world’s largest and most comprehensive database of reports and outcomes, ethics and compliance professionals can trust our benchmarks to help guide decision-making and better understand how their programs stack up against best practices and trends.

Benchmarking your program annually requires a commitment to measure culture and compliance initiatives on a large scale, improve program effectiveness and resolve gaps that may be undermining your efforts.

New Benchmarking Data

This year’s analysis of our data from 2,738 hotline and incident management customers who received ten or more reports during 2018 revealed changes in several key data points that compliance professionals can use to benchmark and assess their program’s performance.

Here is a preview on some of the new findings:

For the first time, we received and analyzed over one million individual reports
While the median of Reports per 100 Employees remained consistent overall, organizations that track all intake methods are managing a record number of reports
Reports of harassment and discrimination increased
Follow-ups to anonymous reporting dropped to a disappointing level
Case closure time improved to a median of 40 days in 2018
Program inquiries dropped to an all-time low

As ethics and compliance programs continue to mature, benchmarking should play an important role in the assessment of a compliance program’s effectiveness and be used to demonstrate return on investment.

As we learned from the George Washington University study, Evidence on the Use and Efficacy of Internal Whistleblower Systems, there is a strong correlation between increased reporting volumes and positive business outcomes – from increased return on assets to decreased levels of litigation. Organizations that view their internal reporting systems as a strategic advantage rather than a requirement will have more opportunity to address issues quickly and before they are reported externally.

Key Steps for Your Organization

Ethics and compliance officers have many opportunities to leverage the data in their hotline and incident management systems to improve their compliance programs – and their organizational culture of integrity and respect. This year’s benchmarks point to several opportunities to increase program effectiveness:

Read the 2019 Ethics & Compliance Hotline Benchmark Report to get a full picture of today’s industry norms, new key findings and best-practice recommendations on how to collect and use your own data.
Get a more complete picture of your risks by documenting all reports in one centralized incident management system.
Aim to get more reporter follow-ups to anonymous reports.
Train and communicate consistent definitions for key reporting topics like retaliation, harassment and discrimination.
Encourage employees to see your hotline as a resource for information, not just a channel for reporting.

Hotline data that is carefully tracked, reviewed, benchmarked and presented with sufficient context often provides the early warning signs needed to detect, prevent and resolve problems.

Tools & Resources

» BENCHMARK REPORT: 2019 Ethics & Compliance Hotline Benchmarking

» WHITE PAPER: Strength in Numbers: The ROI of Compliance Program Hotline Reporting

» DEFINITIVE GUIDE: Incident Management—Going Beyond a Whistleblower Hotline

» USE CASE: A Whistleblower Hotline for the Global Enterprise

Relevant Blog Articles

» Managing Employee Risk Demands Data, Not Guesswork

» The Whistleblower Hotline Should Be Legal Counsel’s Best Friend

» New Whistleblower Hotline Research Quantifies the ROI of Trust & Transparency

» Neglected Hotlines Are an Exception Not the Rule

Tools Are Important

One collection of terms we hear a lot is “tools, processes and people.” All three need to be successfully deployed to make a compliance program run properly while also creating an organizational culture that supports compliance with policy and the law. This is especially true with one of the largest and perennial challenges facing compliance officers: whistleblower reporting, incident management and retaliation risk. With unprecedented regulatory focus on these issues by numerous agencies and risk getting higher with every headline grabbing agency action, these topics need to become a priority of discussion with your board and C-suite.

The Important Tools for Whistleblower and Retaliation Risk

An organization’s whistleblower hotline (or integrity helpline), along with a robust incident management system, are crucial and are often required tools—but these are still only tools. The hotline and other designated reporting avenues are conduits for employees to bring suspected misconduct to the attention of managers who are supposed to identify and prevent rising issues. Companies can (and do) implement elaborate hotline systems that offer anonymity and field complaints in multiple countries and languages. There are even advanced systems that screen for implicated parties before distributing reports to compliance professionals.

Still, in the end, a hotline is just a hotline and all reporting avenues are only as good as the responses from the people who are given the message. If those who are fielding allegations don’t respond correctly, an organization will have a mess on its hands no matter what reporting tool is used. When it comes to hotlines, the “easy” part is setting up a phone number. The hard part is what the organization does with reports once it receives them.

Processes & People Are Critical

Processes and people are every bit as important as the tools themselves. In media reports of organizational misconduct, almost inevitably two stories ensue: First, employees insist they did try to raise their concerns to managers. (Note: the SEC Office of the Whistleblower has highlighted that 80 percent of the tips received have first been reported internally.) And second, they suffered some form of retaliation for doing so.

Ignored or delayed complaints—or worse, complaints sparking retaliation—are serious concerns for an organization and for the credibility of the compliance team that manages its program. These issues happen regardless of the hotline tool used because they are triggered by failures of policy, process, training and most importantly – culture.

Let’s put some hard data on this point. Our NAVEX Global annual benchmarking reports review a variety of key metrics related to hotline reports, processes and outcomes. Over the last seven years, the time it takes organizations to close a case has risen to risky levels – a median of 44 days in 2017 up from 32 days in 2011. Reasons given for the delays include insufficient resources and complexity of cases in the current regulatory environment. As a compliance officer, I get this, but for the employee who has raised a concern and is waiting for a response, every day can feel like an eternity and an opportunity for retaliation.

There is one other process-related practice that is important to highlight. While the compliance office is not always the team that conducts actual investigations, it is critically important for it to ensure that all issues raised through hotlines are properly investigated and appropriate action is taken in a timely way. Too many organizations use their reporting systems as a clearing house to farm out reports to other organizations for action and then immediately close cases with no visibility into actions, timing or outcomes. If we abdicate responsibility with no follow-up, we put our credibility on the line and increase the potential for bad outcomes.

Furthermore, most employee concerns about misconduct don’t come through the hotline. In most cases, employees bring their issues directly to their managers. When managers turn a deaf ear to those complaints, it is because they either don’t know what to do with a complaint or don’t want to take the necessary steps to address the concern. We as business leaders have an obligation to assist managers with this important responsibility. We need to provide them with training and tools on how to respond, enter and track issues they receive for effective resolution and closure.

Policies and processes deserve the most attention because the stakes are so high when getting that part of a whistleblower program wrong. Failures at this level convey to employees, regulators, investors, customers and the public that your culture is wrong. That, in turn, can lead to steeper regulatory fines, loss of reputation, loss of good employees and even loss of business.

So, what do we do?

Key Steps for Your Organization

Following are 10 steps for organizations to consider related to processes and people to help avoid the pitfalls related to managing a reporting system.

First and foremost, accept that internal reporting is a good thing; that the majority of reporters do so with good intentions; and take all reports seriously.
Treat your employees as reporters, not as whistleblowers.
Establish strong and consistent investigation and discipline processes and policies.
Train investigators on proper techniques and required reporting.
Communicate with reporters regularly throughout investigation processes.
Train on retaliation at all levels of the organization – including the front line.
Test and assess organizational culture and employee beliefs around speaking up and fear of retaliation.
Monitor for retaliation and make retaliation reporting a regular board-level discussion.
Manage or oversee all reports to closure. Don’t abdicate responsibility for reports by forwarding them to another department and closing the report without further review.
Raise issues of resource constraints that are delaying case closure times to the board level if needed.

Tools & Resources

» ARTICLE: Risk & Compliance Magazine: Managing Retaliation Claim Risks

» WEBINAR: Retaliation Risk Management: Getting Ahead of the Problem

» WHITE PAPER: Modern Whistleblower Retaliation Risk Require a Modern Framework

Relevant Blog Articles

» Retaliation: The Feedback Loop that Quiets Company Culture

» The Cost of Incivility in the Workplace

» Don’t Lose Focus on What Really Drives External Reporting

» Seizing the Moment for Sustainable Change on Harassment & Retaliation

Review, Refresh, Revitalize

When was the last time you assessed or trained against your code of conduct? Is it in line with your values and updated to reflect societal changes? There’s a lot at stake. Your code is much more than a single policy. It is the overarching communication tool that summarizes all key policies at a high level.

A code of conduct clearly points out expected behaviors. It demonstrates to employees, as well as external stakeholders, an organization’s commitment to core values. An effective code not only communicates the organization’s mission, but it also serves as an employee resource—a go-to place when questions about behavior or policies arise.

To keep pace with an ever-changing workforce and workplace climate, codes of conduct need to be living documents that are regularly reviewed, revised and updated. Along with aligning to changing regulations, your code needs to resonate with your target audience – your employees.

If a code of conduct doesn’t mention behaviors that concern employees (e.g. harassment, social media, human rights, social responsibility, privacy and bribery), employees will not pay it much attention. And if the related behaviors are unenforceable or unachievable (e.g., “don’t use company assets for any personal matters”), employees will tune out.

Users need to be drawn in to truly comprehend what is arguably the foundation of your compliance and ethics program. If codes are too legalistic and wordy, if some topics are overdone, if a written or online version of the code is dull without graphics or interactivity, readers may glaze over important details. And, if you’re a global company and use US-centric images or language, you are legitimately at fault for not vetting a code with internationally-based colleagues.

If a code is structured or presented in a way that doesn’t properly present both values and risks and uses so many different writing styles that your audience has trouble following along, you’ll lose attention and, worse, interest. If your employees are comfortable with technology and have regular access to the internet, an online, interactive code may be more effective than a 20-page expensive print document.

The best codes are developed by those who know their audiences as well as know that a code is something that needs to be used, not just published.

Traits of a Best-in-Class Code

The codes of leading organizations share common best-practice traits, including:

Alignment with an Organization’s Risk Profile: Leading organizations understand their risk profile and benchmark their code of ethics for employees against industry best practices to ensure relevancy.
Regularly Updated: Leading organizations update their code every two years – or whenever an event such as a change in leadership, geographic footprint, merger or acquisition prompts the need for an update.
Appropriate Tone & Language: Good codes of conduct use tone and language that reflects the organization’s culture. Know your audience. Your code represents your compliance program.
Leverages Links to Other Resources & Policies: The purpose of the code of conduct is to outline the risks and steps stakeholders should take if they have additional questions or need direction. Avoid embedding an entire policy within a code. Best practice codes provide links to additional resources or supporting policies.
Promotes the Organization’s Brand and Values: The code of conduct should clearly outline your organization’s driving principles, a great way to reinforce your values. Use the Code to promote your organization’s brand and reputation.
Serves as an Engaging, User-Friendly Reference Tool with Key Design Elements: Use style elements like colors, callout boxes, branding and video vignettes. Video is essential in breaking up the monotony of text and truly engaging your readers.

Key Steps for Your Organization

Before diving into a code of conduct refresh project, it’s good to revisit the core functions of a code of ethics:

Set the tone for your corporate culture and provide a platform for virtually every other policy you implement.
Communicate expected behavior for employees and point the way to additional resources when situations are complex, difficult or sensitive.
Reduce legal liability by addressing your organization’s key ethics and compliance risks.
Represent your organization’s commitment to integrity to external constituents including business partners and regulators.

With those goals in mind, below are five steps to consider as you’re working toward taking your code of conduct from good to great.

TAILOR TO YOUR PEOPLE

Many organizations’ existing codes of conduct have provisions and perspectives that are worth retaining. Going from a good code of conduct to an excellent code of conduct might be more about tone, design and style—which should reflect your organizational culture and priorities—than overall message or policy.

MAKE IT INTUITIVE. MAKE IT USABLE

Employees who want a quick answer may feel confused and frustrated if they can’t understand what it says—a common problem when a committee of lawyers does most or all of the writing. It’s especially important to clearly describe how employees can ask questions or flag problems, usually through the hotline or helpline. Consider how design impacts readability as well. Short paragraphs are much easier to read than long blocks of copy.

ALIGN WITH YOUR ORGANIZATION’S RISK PROFILE

A best practice for any code of conduct includes making it relevant and complete given a company’s industry and global risk profile. Risk profiles are not static. Collaborate with other departments in your organization to ensure that the code of conduct touches on those issues that are most important.

INCORPORATE EMERGING ISSUES

The world is changing quickly, and codes need to change with it. For example, it might be hard to remember, but just a few years ago, social media risk wasn’t a concern at most companies and likely wasn’t addressed in their codes of conduct. Money laundering used to be something only financial organizations had to worry about. But these issues are now commonly covered in the codes of conduct at many diverse organizations. What are emerging issues that impact your organization? Consider covering them in your code.

ENSURE EMPLOYEES KNOW THEY’RE PROTECTED

Your code of conduct cannot cover everything, so it’s essential that it point employees to additional resources they can turn to for help (calling the ethics hotline, talking to their managers, or members of the HR or E&C teams, etc.). Best practice codes of conduct clearly communicate that employees who report possible misconduct or ask questions will be protected—and underscore the fact that acts of retaliation are acts of misconduct that could result in disciplinary action up to and including dismissal.

Conclusion

Regularly assessing your code of conduct helps you ensure that you’re consistently underscoring your values—and keeping them top-of-mind with employees. Taking a code from good to great can mean a world of difference for all those who rely on it.

Tools & Resources

» REFERENCE: NAVEX Global’s Code of Conduct

» INTERACTIVE: Definitive Guide to Your Code of Conduct

» WHITE PAPER: Updating Your Code of Conduct: A Step-by-Step Approach

» EBOOK: The Crucial Document Every Organisation Needs

Relevant Blog Articles

» Seven Essential Resources for Strengthening Your Code of Conduct

» How to Simplify Your Code of Conduct Attestation Language

» Code of Conduct: Your Corporate Constitution

» Can Your Employees Understand Your Policies? How Readability Impacts Your Ethics

What is the Revision?

In November of 2018, the U.S. Department of Justice revised principle 9-28.700 – The Value of Cooperation in its Justice Manual – aka the Yates Memo.

When the Yates Memo originally shook the compliance world in the fall of 2015, it became synonymous with unwavering commitment to individual accountability for wrongdoing. Any revisions therefore would strike discussion over whether individual accountability is still a priority for the DOJ. It is.

A review of Deputy Attorney General Rod Rosenstein’s announcement of the revisions at the 35th International Conference of the Foreign Corporate Practices Act, should assuage any concern that the Department is straying away from holding wrongdoers accountable. In no uncertain terms, Rosenstein stated: “Under our revised policy, pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation.”

Instead of a departure from accountability, the revisions are designed to increase enforcement effectiveness and efficiency surrounding individual accountability. This reevaluates the “all-or-nothing” approach intrinsic to the Yates Memo. Previously, corporations would need to provide all relevant information about every individual involved in a potential wrongdoing. Even Rosenstein remarked, at first “it seemed like a great idea.” However, when it comes to implementation, the realities of “all-or-nothing” result in a lot of “nothing” for companies as well as enforcement agencies.

Instead of identifying every individual involved, the revised policy primarily focuses on identifying individuals substantially involved. The principle reads:

“In order for a company to receive any consideration for cooperation under this section, the company must identify all individuals substantially involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all relevant facts relating to that misconduct.”

Realistic Implementation

Nuances of good faith are also interwoven into the policy. Discovery efforts necessary to uncover all information about wrongdoing can usurp disproportionate resources and people hours for both corporations and regulators. It also pushes investigations down rabbit holes to return insignificant information about individuals who ultimately may not face prosecution. These are the inefficiencies the revisions aim to ameliorate. Simply put, the DOJ wants all the information a corporation has available and expects reasonably thorough investigations to uncover the necessary relevant information to prosecute key players. This is the key to credit.

"Department attorneys should vigorously review any information provided by companies and compare it to the results of their own investigation, in order to best ensure that the information provided is indeed complete and does not seek to minimize, exaggerate, or otherwise misrepresent the behavior or role of any individual or group of individuals."

Furthermore, these revisions may alleviate the original internal branding concerns coming from the compliance industry about the Yates Memo. When every individual involved in a scheme needed to be identified, internal compliance and legal departments turned into aggressive internal investigators, often including investigating innocent employees who unknowingly happened to be involved in fraudulent schemes. Not surprisingly, this was not a good look for internal departments already struggling with rebranding themselves as teams focused on protecting their people.

Ultimately, these policy changes do not indicate a shift away from the adamancy of individual accountability in the Yates Memo, but rather aligns the language of the law with the realistic implementation of law enforcement.

Key Steps for Your Organization

Since the 2015 release of the original memo, every compliance officer and general counsel has discussed how it represents a fundamental change in interactions with their peers and internal clients. So, what can professionals continue (or start) doing to ensure compliance with the new revisions?

AVOID EXTERNAL INVESTIGATIONS

The best way to avoid an external investigation is to ensure that employees feel confident enough in their organization’s reporting infrastructure and policies that they feel they can report issues without reprisal—and that management can learn of issues and mitigate problems before they turn into potential illegal or unethical behavior. The fear of retaliation may be even higher if employees are reporting on a senior executive, but those are precisely the kind of managers that the Yates Memo contemplates as possible targets.

ENCOURAGE SPEAKING UP & TRAIN PROPERLY

Companies need to reassure employees and encourage them to come forward using the appropriate channels for reporting. Accordingly, this encouragement should also come from the proper training of internal personnel. Being able to successfully conduct witness interviews and manage reports is essential for building trust with those coming forward with a claim of misconduct. Investigations are now fair game for prosecutors, so having it done impartially and effectively is also critical.

IMPLEMENT POLICIES & PROCEDURES

Apart from ensuring reporting mechanisms are well-publicized and defined in company policies, they need to be perceived as credible by employees, vendors, suppliers, and members of the general public—and audited regularly for effectiveness. There should be a company procedure in place to conduct audits, assessments and employee surveys to get a benchmark for effectiveness. Data privacy and protection should also be written into the policies should an international investigation take place. And, the procedure should confirm that any document retention and destruction policy is updated and regularly audited, publicized and attested to by internal personnel.

QUESTIONS TO ASK

Senior management, counsel, and the board should agree upon certain core principles and be able to answer the following questions:

When should investigations be handled internally or externally and who should retain the counsel? In some cases, the board may want to retain counsel instead of allowing the general counsel to handle the matter.
What will be the policy if a senior manager or executive refuses to answer questions or insists on having counsel present? Who will pay for the counsel?
Does the board need additional training on how Yates could affect their operations and decisions that the board may need to make regarding disclosing sensitive information about high-level personnel or even board members themselves?
How will the procedures put in place affect voluntary disclosures under other legal regimes and who in the organization should have ultimate responsibility for making these decisions.

Given how quickly the compliance world is changing, a new tone from Washington is something leaders of organizations can’t afford to ignore. The above questions are just a sampling of what boards and senior management should be considering, preferably with guidance from outside counsel.